[Original text] Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.

- Vulnerability description

Dia contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when the program is used to open a file using the 'Open Diagram' dialog box and if the file name contains format string characters. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

- Timeline

Disclosure date: 2006-05-05

Discovery date: Unknown

Exploit date: Unknown

Fix date: Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Vulnerability discussion

Dia is prone to a remote format-string vulnerability.

This issue arises when the application handles specially crafted filenames. An attacker can exploit this vulnerability by crafting a malicious filename that contains format specifiers and then coercing unsuspecting users to open the malicious file with the affected application.

A successful attack may crash the application or lead to arbitrary code execution.

This issue affects Dia versions 0.95 and earlier.

- Exploit

The following filename is sufficient to demonstrate this issue: %p%p%p%p.bmp
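The coding pattern behind this class of bug, shown as an added C illustration (hypothetical helper functions, not Dia's own code): a warning routine with a printf-style signature is handed a message that already contains the untrusted filename, beside the corrected call that passes that message as data, plus a small review aid that counts the printf directives a filename such as %p%p%p%p.bmp would introduce.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Stand-in for a library warning routine with a printf-style signature
 * (hypothetical; not Dia's own function). Returns the formatted length. */
static int emit_warning(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the filename is pasted into a message, and that message
 * is then passed as the *format* argument, so %-directives in the filename are
 * interpreted by vsnprintf. A name like %p%p%p%p.bmp would make it read
 * variadic arguments that were never supplied (undefined behaviour). */
int open_warning_unsafe(const char *filename, char *out, size_t outsz)
{
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "Could not open %s", filename);
    return emit_warning(out, outsz, msg);      /* BUG: msg is the format */
}

/* Hardened pattern: user-controlled text is always passed as data behind a
 * constant "%s" format, never as the format itself. */
int open_warning_safe(const char *filename, char *out, size_t outsz)
{
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "Could not open %s", filename);
    return emit_warning(out, outsz, "%s", msg);
}

/* Review/detection aid: number of '%' characters in an untrusted name that
 * are not the literal "%%" escape, i.e. that would act as printf directives. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal '%' */
        n++;
    }
    return n;
}
```

The unsafe variant is only ever called here with a '%'-free name; with the demonstration filename the safe variant reproduces it verbatim in the message, which is the behaviour a fix should restore.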

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com